
The widespread use of mobile applications brings a whole range of new attacks that were not relevant in the classic web application world. Fortunately, pentesters can help make sure corporate apps provide sufficient data protection.

Pentesting mobile applications should be a critical part of your overall security strategy. To help you facilitate this process, here are six mobile security testing tools for intrusion testing on both Android and iOS:

QARK (Quick Android Review Kit) was designed to be a flexible tool; it can be used either by developers, as part of the SDLC, or by security personnel. It can perform static code analysis on either source code or existing APKs.

QARK can be run in interactive or scriptable mode, and creates reports highlighting discovered vulnerabilities and possible security issues. Additionally, where possible, it will generate ADB commands to verify a vulnerability or, optionally, build an APK customized to attempt verification of the discovered issues.

OWASP Zed Attack Proxy Project (ZAP) is a free security tool that can help pentesters to automate the process of finding security vulnerabilities in both web applications and mobile apps.

Using ZAP, it is possible to craft and send malicious messages to assess mobile app security. It works by targeting the server-side resources the app talks to with those messages. It is also possible to check for vulnerabilities by reverse engineering the app's communication protocols.

IBM Application Security on Cloud can import both APK and IPA files, scan them for vulnerabilities and produce a report on what it finds. The report details how each vulnerability could be exploited by an attacker, while also providing information about how to correct the issue.

The focus here is on eliminating vulnerabilities from applications before they are placed into production and deployed, so there is no integrated exploitation module. But pentesters can still make good use of IBM Application Security on Cloud for analyzing both iOS and Android apps, identifying vulnerabilities and exploiting apps either manually or with the help of other solutions.

Drozer is a security testing framework for Android. It allows a pentester to search for security flaws in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

Drozer is an interactive tool, meaning a pentester will need to install Drozer on their workstation and establish a session with the targeted Android device (either physical or emulated). This way, it is possible to select commands on the console (at the workstation) and have a Drozer agent execute them on the Android device.

With this tool, a pentester can:

Retrieve package information

Identify the attack surface

Launch activities

Gather information from content providers

Test for SQL injection and other vulnerabilities on Android apps

Drozer has the advantage of being open source software. The public version can be downloaded here.
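As an added example (not code from the article, Drozer or QARK), the following script performs the manifest-level part of "identify the attack surface" from the list above, the same kind of check QARK's static analysis makes: it reads a decoded AndroidManifest.xml (as produced by apktool) and reports debuggable and backup settings plus components that are exported without a protecting permission. The manifest is a constructed sample; the package name and component names are made up.

```python
# Added example (not from the article, Drozer or QARK): the manifest-level
# checks behind "identify the attack surface", over a decoded AndroidManifest.xml.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest: a debuggable app with a mix of components.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <provider android:name=".AccountsProvider" android:exported="true"
        android:permission="com.example.bank.READ_ACCOUNTS"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.bank.SYNC"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def _is_launcher(comp):
    """The app's launcher activity is expected to be exported; don't flag it."""
    return any(c.get(NS + "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category"))


def attack_surface(manifest_xml):
    """Return (severity, component, detail) findings for a manifest string."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if app.get(NS + "debuggable") == "true":
        findings.append(("high", "application", "android:debuggable=true"))
    if app.get(NS + "allowBackup") != "false":
        findings.append(("medium", "application", "allowBackup not set to false"))
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(kind):
            exported = comp.get(NS + "exported")
            # With no explicit android:exported, a component that declares an
            # <intent-filter> is exported by default (apps targeting API < 31).
            implicit = exported is None and comp.find("intent-filter") is not None
            if (exported == "true" or implicit) and not _is_launcher(comp) \
                    and comp.get(NS + "permission") is None:
                findings.append(("high", kind + " " + comp.get(NS + "name"),
                                 "exported without a permission"))
    return findings
```

Each finding is a component Drozer could reach from another app on the device; the fix on the developer side is to set android:exported="false" or require a signature-level permission, and to turn off debuggable and allowBackup before release.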


Frida is a dynamic instrumentation toolkit for developers, reverse engineers and security researchers.

Frida can hook into the running processes of the application and modify code on the fly, without requiring any relaunching or repackaging. This allows dynamic modification of app behavior and the exploitation of vulnerabilities that could allow, for example, bypassing a login or root detection.

Android Debug Bridge (ADB) is not a penetration testing tool per se. It is a versatile command-line tool for communicating with an Android device.

The adb command allows for a variety of advanced device actions, such as installing and debugging apps, and it provides access to a Unix shell that can be used to run a variety of commands on a device. ADB runs as a client-server tool and can connect to multiple Android devices and emulator instances.

In the right hands, ADB is really useful for pentesters, as it can also be used to forward ports, run shell commands, pull files from devices or push files. It allows pentesters to explore the Android device file system, making it possible to identify and test vulnerabilities that can expose a mobile app to malicious attacks.

Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years' worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.
